Abstract: A method performed by an authentication server for provisioning a user equipment (1), UE. The method comprises: obtaining a message authentication code, MAC, based on a provisioning key specific to the UE to the UE and a privacy key of a home network (3) of the UE, wherein the provisioning key is a shared secret between the authentication server (14) and the UE and the privacy key comprises a public key of the home network; and transmitting the privacy key and the MAC to the UE. Methods performed by a de-concealing server and the UE, respectively are also disclosed as well as authentication servers, de-concealing servers and UEs. A computer program and a memory circuitry (13) are also disclosed.

Abstract: A method performed by a wireless device includes receiving a Radio Resources Control Reject (RRCReject) message and determining whether to act on the RRCReject message based on a configuration of the wireless device. The method may also include receiving a configuration message that includes the configuration from a network node.

Abstract: Embodiments herein relate to a method performed by a detecting node (101) in a communications network (100), for detecting that a wireless device, WD, (120) associated with a first domain of the communications network (100) has been communicating with a non-legitimate device (150). The non-legitimate device (150) is a device associated with a second domain of the communications network (100). The non-legitimate device (150) impersonates a network node (110, 111, 140) of a first domain of the communications network (100). The detecting node (101) obtains information regarding one or more protocol events related to the communication between the WD (120) and a first network node (110, 111, 140). The information comprises a time instance related to the one or more protocol events. The detecting node (101) determines, based on the time instance and a set of time limits related to the one or more protocol events, that the WD (120) has been communicating with the non-legitimate device (150).

Abstract: A communication device, network node and methods therein in for handling network slices in a wireless communication network are disclosed. The communication device encrypts Network Slice Selection Assistance information, NSSAI, using public key cryptography and includes the encrypted NSSAI in a Non Access Stratum, NAS, registration request. Then the communication device sends a Radio Resource Control, RRC, request to the network node including the NAS registration request. The network node receives the RRC connection request from the communication device and selects a network function based on information in the RRC connection request. The network node forwards the NAS registration request to the network function and forwards to the communication device a NAS registration response received from the network function after the network function decrypting the NSSAI using a PLMN private key.

Abstract: Core network equipment is configured for use in a core network of a wireless communication system. The core network equipment is configured to switch switching to using a new non-access stratum, NAS, security context between a user equipment and the core network equipment. The core network equipment is also configured to, during or in association with a handover procedure for handover of the user equipment, signal from the core network equipment that the new NAS security context between the user equipment and the core network equipment is to be used as a basis for an access stratum (AS) security context between the user equipment and radio access network equipment.

Abstract: A method of operating a network device in a serving network for providing regulation compliant privacy in a communications network is provided. Operations of such methods include obtaining a concealed subscription identifier from a user equipment, UE, that is associated with a home network, HN, obtaining a permanent subscription identifier that is associated with the concealed subscription identifier from the HN, determining whether the concealed subscription identifier from the UE corresponds to the permanent subscription identifier from the HN, and responsive to determining that the concealed subscription identifier from the UE corresponds to the permanent subscription identifier from the HN, performing further operations to provide service to the UE.

Abstract: Systems and methods are described for redirecting a user equipment with a routing misconfiguration. An exemplary method includes detecting a potential misconfiguration associated with the user equipment or a subscriber identity module (SIM) associated with the user equipment and generating an error code indicating the potential misconfiguration associated with the user equipment of the SIM associated with the user equipment. The error code is transmitted to an authentication module and indicates that the misconfiguration is an incorrect routing identifier and includes additional user information.

Abstract: A wireless device requests a network slice from a network by, first, identifying at least one network slice to be requested. Based on a mapping method that is specific to the wireless device, the wireless device forms a slice pseudonym for the or each network slice to be requested. The wireless device then transmits a request message to the network, wherein the request message comprises the or each slice pseudonym. The network node receives the request message sent by the wireless device, wherein the request message comprises at least one slice pseudonym. Based on a mapping method that is used by the wireless device and that is specific to the wireless device, the network node identifies at least one requested network slice from the or each received slice pseudonym. The network node then permits use of the requested network slice.

Abstract: A method in a user equipment (UE) to verify an authenticity of a network, in response to providing a Control Plane Service Request (CPSR) non-access stratum (NAS) message comprising user data to a first network node of the network, includes the steps: obtaining an indication from the first network node; verifying an authenticity of the indication; and determining that the user data has been successfully delivered.

Abstract: A method for re-establishing a Radio Resource Control (RRC) connection between a UE and a target eNB. The method is performed by the UE. The method includes the UE receiving an RRC Connection Reestablishment message from the target eNB, the RRC Connection Reestablishment message including a DL authentication token which has been generated by an MME and has had a Non Access Stratum integrity key as input. The method also includes the UE authenticating the received DL authentication token.

Abstract: A User Equipment, UE, (120), a network node (110, 111, 140) and methods therein, for detection that the UE has been communicating with a non-legitimate device (150) which impersonates a network node of a legitimate network. In this method, the UE or the network node obtains information regarding technical details of the transmission of a service received by the UE, wherein the information comprises a generation of the RAT/mobile network used for the transmission. The UE then provides the technical details to a user of the UE and/or to an application on the UE. The network node is also able to determine that the service was received from the non-legitimate device when the technical details do not correspond to the technical details expected for the legitimate network.

Abstract: A method and a User Equipment, UE (120) for detecting that the UE has received a fraudulent missed call, e.g. from a non-legitimate device (150). When receiving a missed call which is ended before a user of the UE has answered the incoming call, the UE determines the duration of the missed call, and indicates, e.g. to a user of the UE, the 5 duration of the missed call. The missed call may be determined as potentially fraudulent if the duration of the missed call is below or equal to a predetermined threshold.

Abstract: A method is provided to operate a CN node to determine UP security activation. A UP session establishment request is obtained for a wireless device. An indication is obtained that the UP session establishment request is associated with an emergency session and/or that null ciphering and/or null integrity protection are applied to a CP associated with a CP session for the wireless device. It is determined that a UP should be configured for the UP session without activating integrity and/or confidentiality protection for the UP based on the indication. A UP security policy is provided to a RAN node associated with the wireless device, wherein the UP security policy indicates to configure the UP for the UP session without activating integrity and/or confidentiality protection based on determining that a UP should be configured for the UP session without activating integrity and/or confidentiality protection.

Abstract: A network node (30A, 30B) is configured for use in a wireless communication network (10). The network node (30A, 30B) is configured to acquire radio access capability information (28) of a wireless device (14). The radio access capability information (28) of the wireless device (14) indicates radio access capabilities of the wireless device (14). The network node (30A, 30B) is configured to determine if the wireless communication network (10) received the radio access capability information (28) of the wireless device (14) before access stratum security (24) was activated for the wireless device (14).

Abstract: The disclosure relates to methods of validating a SUCI implemented by a network node in a mobile network. The network node receives a message including the SUCI. Responsive to receipt of the message, the network node obtains a first set of encryption parameters used to generate the SUCI. The network node uses the first set of encryption parameters to de-conceal the SUCI to obtain subscription information associated with a subscription. Subsequently, the network node obtains a second set of encryption parameters associated with the subscription using the subscription information and validates the SUCI based on the second set of encryption parameters. As one example, the network node validates the SUCI by comparing the first set of encryption parameters to the second set of encryption parameters and determining if there is a match.

Abstract: A method for improving data transmission security at a user equipment comprises receiving, from a source network node, a connection release message including instructions for computing a hash value for data to be included in a connection request message; computing the hash value based on the instructions included in the connection release message; calculating a token based on the hash value, and sending, to a target network node, the connection request message including the token. The method may further forward the data from the target network node directly to a gateway after the token has been verified. The method may reduce a signaling overhead by having a fixed-size hash value for data. Furthermore, the method may improve a transmission security by including the token in an RRC message, in which the token is calculated based on the hash value representing the data.

Abstract: Core network equipment is configured for use in a core network of a wireless communication system. The core network equipment is configured to switch switching to using a new non-access stratum, NAS, security context between a user equipment and the core network equipment. The core network equipment is also configured to, during or in association with a handover procedure for handover of the user equipment, signal from the core network equipment that the new NAS security context between the user equipment and the core network equipment is to be used as a basis for an access stratum (AS) security context between the user equipment and radio access network equipment.

Abstract: A method of operation of a control node (400, 700, 1000) in a mobile communications network, the method comprising: receiving a request for authorization from a user equipment (500, 800, 1100); determining whether the request for authorization includes evidence that the user equipment is authorized by a trusted traffic authority; and processing the request for authorization only if the request for authorization includes evidence that the user equipment is authorized by the trusted traffic authority. Methods for the user equipment and a trusted authority device, as well as corresponding devices, computer programs and computer program products are also disclosed.

Abstract: A network function performs a method to identify an invalid subscription concealed identifier, SUCI. When the network function receives a message containing a SUCI, it determines a size of the SUCI contained in the received message, and also determines an expected size of the SUCI in the received message. The network function then determines whether the size of the SUCI contained in the received message satisfies a criterion associated with the expected size. If the size of the SUCI contained in the received message does not satisfy the criterion associated with the expected size, the network function determines that the SUCI in the received message is invalid, and it rejects the SUCI in the received message if it is determined to be invalid.

Abstract: A method for re-establishing a Radio Resource Control, RRC, connection between a User Equipment (1), UE, and a target evolved NodeB (3), target eNB, the method being performed by the UE (1) and comprising: receiving (S100) an RRC Connection Reestablishment message from the target eNB (3), the RRC Connection Reestablishment message including a downlink, DL, authentication token which has been generated by a Mobility Management Entity (4) and has had a Non Access Stratum integrity key as input; and authenticating (S110) the received DL authentication token. Discloses are also UEs, target eNBs, source eNBs and Mobility Management Entities as well as methods, computer programs and computer program product related thereto.